CVE-2021-35530

User authentication bypass in TXpert Hub CoreTec 4

Description

A vulnerability in the application authentication and authorization mechanism of Hitachi Energy's TXpert Hub CoreTec 4, which depends on token validation of the session identifier, allows an unauthorized, modified message to be executed on the server. This enables an unauthorized actor to change an existing user's password and then gain authorized access to the system via the login mechanism. This issue affects: Hitachi Energy TXpert Hub CoreTec 4 version 2.0.0 2.1.0; 2.1.0; 2.1.1; 2.1.2; 2.1.3; 2.2.0; 2.2.1.

Remediation

Solution:

  • Update the system to TXpert Hub CoreTec 4 version 2.3.0 that fixes the issues.

Category

CVSS: 6.0
Severity: Medium
EPSS: 0.03%
Vendor Advisory: abb.com
Affected: Hitachi Energy TXpert Hub CoreTec 4 version

Frequently Asked Questions

What is the severity of CVE-2021-35530?
CVE-2021-35530 has been scored as a medium severity vulnerability.
How to fix CVE-2021-35530?
To fix CVE-2021-35530: Update the system to TXpert Hub CoreTec 4 version 2.3.0 that fixes the issues.
Is CVE-2021-35530 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2021-35530 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-35530?
CVE-2021-35530 affects Hitachi Energy TXpert Hub CoreTec 4 version.